
First cut at mkcert

From: Bear Giles <bgiles(at)coyotesong(dot)com>
To: pgsql-hackers(at)postgresql(dot)org, pgsql-patches(at)postgresql(dot)org
Subject: First cut at mkcert
Date: 2002-05-20 18:29:54
Message-ID: 200205201829.MAA14359@eris.coyotesong.com
Lists: pgsql-hackers, pgsql-patches
Attached is the first cut at mkcert.sh, a tool to create PostgreSQL
server certificates.  It also sets up a directory suitable for the
OpenSSL CA tool, something that can be used to sign client certs.

The root cert should be added to the backend SSL cert verification
tools, and copied to the user's .postgresql directory so the client
can verify the server cert.  This one root cert can be used for
multiple server certs in addition to all client certs.

Also, this script sets up DSA keys/certs.  With ephemeral DH keys the
server (and client) keys are only used to sign the ephemeral keys,
so you can use DSA keys.  Without ephemeral keys you would need to
use RSA keys since those keys are used for encryption in addition
to signing.

Some predictable changes:

1) the root key should be encrypted, since it isn't necessary for
   the system to boot.  (Extreme case: the root key should be
   kept off the hard disk, perhaps in a smart card.)

2) the 'openssl.conf' file could be split into 'root.conf' and
   'server.conf' files so the prompts can be a bit more suggestive.
   There should also be a 'client.conf' file for client certs,
   and it should be copied to /etc/postgresql and visible to clients.

   (To avoid the hassles of requiring that clients have the OpenSSL
   tools bundled, pgkeygen should be a binary program instead of
   a script.)

3) there should be a sample domain-component config file in addition
   to the geopolitical one.  That gives DNs like

     DC=com/DC=example/CN=eris.example.com/email=postgres(at)example(dot)com

   instead of

     C=US/ST=Colorado/O=Snakeoil/CN=eris.example.com/email=postgres(at)example(dot)com

Bear
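The workflow the message describes (a root CA directory laid out for the OpenSSL CA tool, a server cert signed by that root, and a client-side chain check), as an added example that is not the attached mkcert.sh. It uses RSA rather than the DSA keys the script sets up, the domain-component DN style from item 3, and constructed names such as eris.example.com; the root key is left unencrypted only so the demo runs non-interactively.

```shell
#!/bin/sh
# Added example, not the mkcert.sh from the message: minimal root CA plus a
# server cert signed by it, using only the openssl command-line tool.
set -e

# Build a root CA in $1 with the directory layout the OpenSSL CA tool expects.
make_root_ca() {
    ca_dir="$1"
    mkdir -p "$ca_dir/private" "$ca_dir/newcerts"
    chmod 700 "$ca_dir/private"
    touch "$ca_dir/index.txt"
    echo 01 > "$ca_dir/serial"
    # RSA so the root works with or without ephemeral key exchange. Item 1 of
    # the message asks for this key to be passphrase-protected or kept off disk.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$ca_dir/private/root.key" 2>/dev/null
    openssl req -new -x509 -key "$ca_dir/private/root.key" \
        -subj "/DC=com/DC=example/CN=Example Root CA" \
        -days 3650 -out "$ca_dir/root.crt" 2>/dev/null
}

# Create a server key and CSR for host $2 in $3, then sign it with the CA in $1.
make_server_cert() {
    ca_dir="$1"; host="$2"; out_dir="$3"
    mkdir -p "$out_dir"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$out_dir/server.key" 2>/dev/null
    chmod 600 "$out_dir/server.key"
    openssl req -new -key "$out_dir/server.key" \
        -subj "/DC=com/DC=example/CN=$host" -out "$out_dir/server.csr" 2>/dev/null
    # The serial file in the CA directory is consumed and incremented here.
    openssl x509 -req -in "$out_dir/server.csr" \
        -CA "$ca_dir/root.crt" -CAkey "$ca_dir/private/root.key" \
        -CAserial "$ca_dir/serial" -days 365 -out "$out_dir/server.crt" 2>/dev/null
}

# Succeeds only if the server cert chains to root.crt, which is the check a
# client with that root in its .postgresql directory would perform.
verify_server_cert() {
    openssl verify -CAfile "$1/root.crt" "$2/server.crt" >/dev/null 2>&1
}

# End-to-end run under directory $1; returns the verification status.
mkcert_demo() {
    base="$1"
    make_root_ca "$base/ca"
    make_server_cert "$base/ca" "eris.example.com" "$base/server"
    verify_server_cert "$base/ca" "$base/server"
}
```

Run it as `mkcert_demo "$(mktemp -d)"`; a non-zero exit means the server cert does not chain to the root, so a client trusting only that root would reject the connection.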
